Skip to content

Instantly share code, notes, and snippets.

@numanturle

numanturle/frida_multiple_unpinning.js

Forked from akabe1/frida_multiple_unpinning.js
Created January 10, 2021 00:46
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save numanturle/dcca3c76fb1e3c6f63e3232c4ff12d8c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save numanturle/dcca3c76fb1e3c6f63e3232c4ff12d8c to your computer and use it in GitHub Desktop.
Download ZIP
Another Android ssl certificate pinning bypass for various methods
Raw
frida_multiple_unpinning.js
/* Android ssl certificate pinning bypass script for various methods
by Maurizio Siddu
Run with:
frida -U -f [APP_ID] -l frida_multiple_unpinning.js --no-pause
*/
setTimeout(function() {
Java.perform(function () {
console.log('');
console.log('======');
console.log('[#] Android Bypass for various Certificate Pinning methods [#]');
console.log('======');
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
var SSLContext = Java.use('javax.net.ssl.SSLContext');
// TrustManager (Android < 7)
var TrustManager = Java.registerClass({
// Implement a custom TrustManager
name: 'dev.asd.test.TrustManager',
implements: [X509TrustManager],
methods: {
checkClientTrusted: function (chain, authType) {},
checkServerTrusted: function (chain, authType) {},
getAcceptedIssuers: function () {return []; }
}
});
// Prepare the TrustManager array to pass to SSLContext.init()
var TrustManagers = [TrustManager.$new()];
// Get a handle on the init() on the SSLContext class
var SSLContext_init = SSLContext.init.overload(
'[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
try {
// Override the init method, specifying the custom TrustManager
SSLContext_init.implementation = function(keyManager, trustManager, secureRandom) {
console.log('[+] Intercepted Trustmanager (Android < 7) request');
SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
};
console.log('[+] Bypassing TrustManager (Android < 7) pinning');
} catch (err) {
console.log('[-] TrustManager (Android < 7) pinner not found');
}
// okhttp3 (double bypass)
try {
var okhttp3_Activity = Java.use('okhttp3.CertificatePinner');
okhttp3_Activity.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted OkHTTP3 {1}: ' + str);
return true;
};
// This method of CertificatePinner.check could be found in some old Android app
okhttp3_Activity.check.overload('java.lang.String', 'java.security.cert.Certificate').implementation = function (str) {
console.log('[+] Intercepted OkHTTP3 {2}: ' + str);
return true;
};
console.log('[+] Bypassing OkHTTP3 pinning');
} catch (err) {
console.log('[-] OkHTTP3 pinner not found');
}
// Trustkit (triple bypass)
try {
var trustkit_Activity = Java.use('com.datatheorem.android.trustkit.pinning.OkHostnameVerifier');
trustkit_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
console.log('[+] Intercepted Trustkit {1}: ' + str);
return true;
};
trustkit_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
console.log('[+] Intercepted Trustkit {2}: ' + str);
return true;
};
var trustkit_PinningTrustManager = Java.use('com.datatheorem.android.trustkit.pinning.PinningTrustManager');
trustkit_PinningTrustManager.checkServerTrusted.implementation = function () {
console.log('[+] Intercepted Trustkit {3}');
}
console.log('[+] Bypassing Trustkit pinning');
} catch (err) {
console.log('[-] Trustkit pinner not found');
}
// TrustManagerImpl (Android > 7)
try {
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
console.log('[+] Intercepted TrustManagerImpl (Android > 7): ' + host);
return untrustedChain;
};
console.log('[+] Bypassing TrustManagerImpl (Android > 7) pinning');
} catch (err) {
console.log('[-] TrustManagerImpl (Android > 7) pinner not found');
}
// Appcelerator Titanium
try {
var appcelerator_PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
appcelerator_PinningTrustManager.checkServerTrusted.implementation = function () {
console.log('[+] Intercepted Appcelerator');
};
console.log('[+] Bypassing Appcelerator pinning');
} catch (err) {
console.log('[-] Appcelerator pinner not found');
}
// OpenSSLSocketImpl
try {
var OpenSSLSocketImpl = Java.use('com.android.org.conscrypt.OpenSSLSocketImpl');
OpenSSLSocketImpl.verifyCertificateChain.implementation = function (certRefs, authMethod) {
console.log('[+] Intercepted OpenSSLSocketImpl');
};
console.log('[+] Bypassing OpenSSLSocketImpl pinning');
} catch (err) {
console.log('[-] OpenSSLSocketImpl pinner not found');
}
// PhoneGap sslCertificateChecker (https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin)
try {
var phonegap_Activity = Java.use('nl.xservices.plugins.sslCertificateChecker');
phonegap_Activity.execute.overload('java.lang.String', 'org.json.JSONArray', 'org.apache.cordova.CallbackContext').implementation = function (str) {
console.log('[+] Intercepted PhoneGap sslCertificateChecker: ' + str);
return true;
};
console.log('[+] Bypassing PhoneGap sslCertificateChecker pinning');
} catch (err) {
console.log('[-] PhoneGap sslCertificateChecker pinner not found');
}
// IBM MobileFirst pinTrustedCertificatePublicKey
try {
var WLClient = Java.use('com.worklight.wlclient.api.WLClient');
WLClient.getInstance().pinTrustedCertificatePublicKey.implementation = function (cert) {
console.log('[+] Intercepted IBM MobileFirst pinTrustedCertificatePublicKey');
return;
};
console.log('[+] Bypassing IBM MobileFirst pinTrustedCertificatePublicKey pinning');
} catch (err) {
console.log('[-] IBM MobileFirst pinTrustedCertificatePublicKey pinner not found');
}
// IBM WorkLight (ancestor of MobileFirst) HostNameVerifierWithCertificatePinning (quadruple bypass)
try {
var worklight_Activity = Java.use('com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning');
worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSocket').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {1}: ' + str);
return;
};
worklight_Activity.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {2}: ' + str);
return;
};
worklight_Activity.verify.overload('java.lang.String', 'java.util.List', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {3}: ' + str);
return;
};
worklight_Activity.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
console.log('[+] Intercepted IBM WorkLight HostNameVerifierWithCertificatePinning {4}: ' + str);
return true;
};
console.log('[+] Bypassing IBM WorkLight HostNameVerifierWithCertificatePinning pinning');
} catch (err) {
console.log('[-] IBM WorkLight HostNameVerifierWithCertificatePinning pinner not found');
}
// CWAC-Netsecurity (unofficial back-port pinner for Android < 4.2) CertPinManager
try {
var CertPinManager_Activity = Java.use('com.commonsware.cwac.netsecurity.conscrypt.CertPinManager');
CertPinManager_Activity.isChainValid.overload('java.lang.String', 'java.util.List').implementation = function (str) {
console.log('[+] Intercepted CWAC-Netsecurity CertPinManager: ' + str);
return true;
};
console.log('[+] Bypassing CWAC-Netsecurity CertPinManager pinning');
} catch (err) {
console.log('[-] CWAC-Netsecurity CertPinManager pinner not found');
}
});
}, 0);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment